Acceptable Use Policy for Electronic University Resources

Scope

Computing, networking, telephony, and information resources of Loyola University Chicago are available to advance our education, research, health care and public service missions. Any access and use of these resources and services that interfere with these goals are prohibited. All who access and use these resources will abide by all applicable policies, legal and contractual requirements, and the highest standard of ethical principles and practices, when using these University resources. Breach of or disregard for access and acceptable use policies are grounds for revoking access privileges, and may lead to additional sanctions by the University, including referral to other authorities for civil litigation and criminal prosecution.

Individuals covered

This policy applies to all persons accessing and using computing, networking, telephony and information resources through any facility of the University. These persons include students, faculty, staff, persons retained to perform University work, and any other person extended access and use privileges by the University given the availability of these resources and services, and in accordance with University contractual agreements and obligations.

Systems and resources covered

This policy covers all computing, networking, telephony and information resources procured through, operated or contracted by the University. Such resources include computing and networking systems including those that connect to the University telecommunications infrastructure, other computer hardware, software, data bases, support personnel and services, physical facilities, and communications systems and services.

Policy on access and acceptable use

Computing, networking, telephony and information resources at the University, including access to local, national and international networks, are available to support students, faculty and staff as they carry out the University's instructional, research, health care, administration and public service missions. Therefore, the University encourages and promotes the access and use of these resources by the University community. However, access and use which do not support the University mission are subject to regulation and restriction to insure that they do not interfere with this legitimate work. Any access and use of computing, networking, telephony and information resources must not interfere with the University's instructional, research, health care and public service missions and should be consistent with the person's educational, scholarly, research, service, operational or management activities within the University. Those who access and use University computing, networking, telephony and information resources are to take reasonable and necessary measures to safeguard the operating integrity of the systems and their accessibility by others, while acting to maintain a working environment conducive to carrying out the mission of the University efficiently and productively.

Responsibilities regarding system and resource use

Persons who access and use university computing, networking, telephony and information resources are responsible for:

respecting the rights of other individuals, including compliance with other university policies for students, faculty, and staff -- these rights include but are not limited to intellectual property, privacy, freedom from harassment, and academic freedom,

exercising caution when committing confidential information to electronic media given that the confidentiality and integrity of such material are difficult to ensure,

activity connected with the individual's assigned account,

using systems and resources in ways that do not interfere with or disrupt the normal operation of these systems, nor interfere with the access and use of these systems and resources by others allowed to do so,

protecting the security of access to University computing and networking systems and the confidentiality and integrity of information stored on University computing and networking systems,

knowing and obeying the specific policies established for the system and networks they access.

members of the University community with access to University electronic resources may not use these resources in a way that implies that the University is actually or implicitly espousing a particular view, or endorsing any person, organization, product, service or belief; similarly, they may not use the name, logos, facilities or resources of the University for any personal, commercial or similar purposes, or to participate in or intervene in (including the publishing or distribution of statements) any political campaign on behalf of, or in opposition to, any candidate for public office.

Under no circumstances, may individuals give others access to any system they do not administer, or exploit or fail to promptly report any security loopholes. Individuals must act to maintain a working environment conducive to carrying out the mission of the University efficiently and productively.

Individuals may not under any circumstances deliberately circumvent or attempt to circumvent data protection schemes or uninstall or disable any software installed by the university for the purpose of protecting the university from the intentional or unintentional disclosure of information.

Systems and network administration, and facilities management

Administrators of systems and networks have the responsibility to protect the rights of users, to set policies consistent with those rights, and to publicize these policies to their users. They have authority to control or to refuse access to anyone who violates these policies or threatens the rights of other users. They have the responsibility to notify those individuals affected by decisions they have made. Administrators of systems and networks are empowered to take reasonable steps necessary to preserve the availability and integrity of the system, to restore the integrity of the system in case of malfunction, abuse, virus, and other similar situations, and to protect the integrity of University data and other assets. These steps may include deactivating accounts, access codes or security clearances, stopping processes, deleting affected files, and disabling access to computing, networking, telephony, and information resources.

All devices deployed in the PCI environment must be documented listing Acceptable uses for the technology, Acceptable network locations for the technology, along with a list of company approved products. Additionally, all devices within the PCI environment must be labeled containing the owner, contact information, and purpose of the device.

Demand for computing, networking, telephony and information resources may occasionally exceed available resources. Priorities should be established for allocating such resources, giving a higher priority to activities that are more essential to the mission of the University.

Access

Access to University computing resources is granted to ensure that all who use these resources are given sufficient access rights to fully perform their tasks without restriction, but no more. Please review the following policies for details of protecting information when accessing University computing resources:

Access Control Policy

Vendor Access to Internal Systems Policy

Password Standards

Appeal of an administrative decision

Individuals who disagree with an administrative decision may submit an appeal of the decision to the appropriate resource manager or systems administrator. From there, a student may submit an appeal to the Dean of Students, a faculty member through their department administration either to the Provost or to the Vice President for the Health Sciences, and a staff member through their management to the Vice President for Human Resources. Individuals must submit these appeals according to any rules and procedures issued by system administrators or component administrators.

Noncompliance and sanctions

Individual units within the University may define "conditions of acceptable use" for facilities and resources under their control. These statements must be consistent with this general policy but may provide additional detail, guidelines and restrictions. Such "conditions of acceptable use" should indicate the enforcement mechanism. Where no enforcement mechanisms exist, the procedures defined in the applicable University's standards of conduct, i.e., Student Handbook (students), Faculty Handbook (faculty), and Employee Handbook and Personnel Policies (staff), will apply. Where use of external networks is involved, policies governing such use also are applicable and require compliance by individuals using these networks, which include:

Acceptable use policies for these networks are available on the Internet. Disregarding policies and procedures concerning access and use of computing, networking, telephony and information resources may result in the denial or removal of access privileges by administrators of systems and networks, and may lead to disciplinary action under the applicable University's standards of conduct, as cited above. Additionally, such disregard may be referred to other authorities for civil litigation and criminal prosecution under applicable state and federal statutes.

Legal context for this policy

Regarding legal context, all existing laws (local, state and federal) and University policies, regulations and rules apply, including not only those laws, policies, regulations and rules that are specific to computers and networks, but also those that apply generally to personal conduct including Sexual Harassment: Faculty, Staff and Students.

Relationship of this policy with others

This policy supplements the Rights and Responsibilities for the Access and Use of University Computing, Networking, Telephony and Information Resources policies and the Access and Acceptable Use of Public Access Computing and Networking Facilities and Services. These policies are available and can be found on the Loyola University Chicago website. The University reserves the right to change the information, requirements and procedures announced in this policy. This policy will continue to be in effect until a further revision is required and promulgated. Consult the campus computing center or the appropriate system administrator for information on other policies, procedures or directives that supplement this policy.

History

September 4, 2009: Initial Policy

October 22, 2012: Corrected links

August 8, 2014: Add “Access” clause for PCI Compliance

October 13, 2014: Add PCI 3.0 labeling requirements

May 11, 2015: Annual review for PCI Compliance

April 21, 2016: Annual review for PCI Compliance

October 25, 2016: Changes to section "Responsibilities Regarding System and Resource Use" as Approved by President's Cabinet.